[Dshield] PDF Spam Wave

M Cook dshieldlists at versateam.com
Fri Aug 3 23:15:37 GMT 2007


jayjwa wrote:
> I've read the diaries, so I do know others are seeing PDF spam. What I'd like 
> to see is if it's also spoofing your domains/hosts. Let me explain.
> 
> On Aug. 1st about midnight, a massive influx of mail started such that I never 
> saw. Mailservers from all over, places I never heard of, started trying to 
> deliver...something. These connections were about 2-3 per second, then after 
> about 6-7 hours slowed to 2-3 per minute. They all had "bounces" for a host on 
> the intranet. Only thing was, no one there ever sent any mail! They looked 
> like so:

I'm sorry, but what is your point again? This sort of thing has been 
going on for years -- the spoofed "from" address, the mail servers 
accepting the mail (instead of rejecting it) even though the addressees 
are bad, and after they have accepted the mail, they have to send it 
back -- and the only place they can send it to is the "from" address.

It's not just the PDF attachment -- or the zip attachment, or any other 
specific class of UCE.

The solution is for those who are running mail servers to reject (5xx 
code, in SMTP terms) if the address is bad, rather than accept and then 
send a bounce message. If the mail is rejected, the actual sender gets 
the message; if the mail is accepted then bounced, the spoofed "from" 
gets the message. Since this means the accepting server is contributing 
to the distribution of spam (even if it is in the bounce message) it 
needs to be considered a misconfiguration.

Those who have to put up with this spam blowback can't do much except 
remind those whose SMTP is doing it that there is a better way -- 
reject, don't accept-then-bounce.


More information about the list mailing list